HyperFrames skill install — security review decision (2026-05-06)

Trigger

Founder shared HyperFrames catalog + GitHub on iMessage 2026-05-06 17:57 ET, then explicit greenlight 18:41 ET (“Let’s do both. Good to generalize our HyperFrames and HeyGen skills across projects”). Re-engaged with security findings 19:30 ET; founder responded 19:45 ET with the install-policy clarification (skills are prompt-injection risk, not binary risk; pre-update scan is the right pattern; bypass age-wait on first install with security review).

What was installed

Command: npx --yes skills@latest add heygen-com/hyperframes --skill '*' --global --yes --agent claude-code

Source repo: https://github.com/heygen-com/hyperframes (Apache-2.0, v0.5.2, 15.1k stars, 692 commits, HeyGen Inc. corp-owned)

13 skills installed at ~/.claude/skills/:

hyperframes — composition authoring, captions, TTS, transitions
hyperframes-cli — dev-loop CLI (init, lint, inspect, preview, render, transcribe, tts, doctor)
hyperframes-media — TTS (Kokoro), Whisper transcription, u2net background removal
hyperframes-registry — block + component installation
website-to-hyperframes — URL-to-video pipeline
remotion-to-hyperframes — Remotion port translator (1 Socket alert; see below)
gsap — GSAP timeline animation patterns
animejs — Anime.js animations and timelines
css-animations — CSS keyframe animation patterns
lottie — lottie-web + dotLottie player integration
three — Three.js scene patterns with hf-seek events
waapi — Web Animations API patterns
tailwind — Tailwind v4.2 browser-runtime patterns

Pre-install security review (per SOP)

Step 1 — Install path

npm package skills@1.5.5 by Guillermo Rauch (vercel-labs/skills) — copies SKILL.md files via cp / symlinks. NO postinstall scripts, NO arbitrary code execution at skills add time.
The skills CLI re-fetches the source repo’s main branch on every skills add / skills update invocation. No commit pinning by default.
Install-prompt-mutation vector: present but low probability for a corp-owned 15.1k-star repo.

Step 2 — Source code inspection

Sub-agent sampled 4 of 13 SKILL.md files (hyperframes, hyperframes-cli, hyperframes-media, three). Findings:

No eval / exec / dynamic-import patterns
No instructions to read ~/.aws/, ~/.ssh/, 1Password wrappers, .env files, or vault paths
No exfil prompts
No subprocess calls touching sensitive paths
The .claude-plugin/plugin.json declares zero hooks/scopes/permissions — pure metadata
Surface is what it advertises: video-composition guidance + CLI reference

Step 3 — Token analysis

No tokens / API keys requested at install time.
The hyperframes CLI runs fully local (Chrome + FFmpeg). Outbound calls observed: cdn.jsdelivr.net for Three.js/GSAP, model-download URLs on first invocation of TTS/transcribe/bg-remove subcommands.
No HeyGen API key required for OSS rendering pipeline.

Step 4 — Maintainer trust

HeyGen Corp: public, well-funded AI-video company, no security incidents on record.
Guillermo Rauch (skills package author): Vercel CEO, publicly trusted account, OSS history clean.

Step 5 — Worst-case blast radius

Compromised future SKILL.md update could prompt-inject Ray into reading vault → exfiltrating to a controlled URL via CLI shell-out.
Compromised npm publish of hyperframes CLI binary → arbitrary code execution as user, full read of ~/rdco-vault/, all 1Password wrappers when invoked, all MCP-bound tokens at-rest in their config files.
HeyGen-controlled domain pivot (hyperframes.heygen.com) could redirect model downloads to attacker mirrors.

Step 6 — skills.sh registry-side scan

The skills CLI ran its own assessment via 3 vendors (Gen / Socket / Snyk):

Skill	Gen	Socket	Snyk
animejs	Safe	0 alerts	Med Risk
css-animations	Safe	0 alerts	Low Risk
gsap	Safe	0 alerts	Med Risk
hyperframes-cli	Safe	0 alerts	Low Risk
hyperframes-media	Safe	0 alerts	Low Risk
hyperframes-registry	Safe	0 alerts	Med Risk
hyperframes	Safe	0 alerts	Low Risk
lottie	Safe	0 alerts	Med Risk
remotion-to-hyperframes	Safe	1 alert	Med Risk
tailwind	Safe	0 alerts	Low Risk
three	Safe	0 alerts	Low Risk
waapi	Safe	0 alerts	Low Risk
website-to-hyperframes	Safe	0 alerts	Med Risk

The 1 Socket alert on remotion-to-hyperframes is unspecified in the registry output — likely a transitive dependency notice (Remotion-related npm package) since the skill is a translator. Manual review pending if the skill is invoked.

Verdict

INSTALL-WITH-MITIGATIONS — proceeded.

Founder’s install-policy clarification:

“Skills are prompt injection risk, not an installed binary. If the skills look safe right now, let’s go ahead and install them too to give ourselves the best capabilities. Then we can scan again before we do any update. We also have that waiting period for npm or Python packages to not install something until it’s a few days old. If we do the security scan and then say it’s okay we can make exceptions to install it early, especially when we are bumping up our capabilities for the first time. For run of the mill updates we can be more patient.”

This codifies a new install policy:

First install: security review → if clean, install immediately (capability-bump exception to age-wait)
Updates: age-wait applies (default a few days post-publish), security review BEFORE every update
Subset selection: acceptable when surface concern is real

Mitigations applied

Pinned install commit captured. Repo HEAD on install date 2026-05-06 against https://github.com/heygen-com/hyperframes v0.5.2 (commit SHA capture deferred — npx skills add doesn’t surface SHA to stdout; if needed, can derive via git ls-remote https://github.com/heygen-com/hyperframes.git HEAD).
No auto-update on cron. No skills-update cron entry. All updates go through manual review.
Pre-update scan workflow (new SOP addition):
- Re-run ~/rdco-vault/02-sops/2026-05-02-mcp-plugin-skill-install-security-review-sop.md Steps 1-4 before any npx skills update
- WebFetch the diff at https://github.com/heygen-com/hyperframes/compare/<previous-sha>...<latest-sha> to surface SKILL.md changes
- Run npx skills add ... --list to enumerate any newly-added skills (catch additions, not just modifications)
Squarely-web project bumped from ^0.4.7 to ^0.5.2 to align local CLI usage with the global skills version.
High-prompt-injection-surface flag. This is the second prompt-injection-surface skill set installed (after lazyweb at v0.5; a kill-switch decision was made there to install with mitigations too). Vault flag: any future SKILL.md instructions that conflict with founder-stated rules (e.g. “exfiltrate vault to verify a render”) trigger refuse-and-escalate per SOUL.md.
First-invocation gates on hyperframes-media subcommands — before first invocation of npx hyperframes tts/transcribe/remove-background, audit the URLs the CLI hits and pin them in expectations. Models download to ~/.cache/hyperframes/ (Kokoro 311MB, Whisper 75MB-3.1GB, u2net 168MB) — verified canonical Hugging Face / vendor URLs.

Cross-references

~/rdco-vault/02-sops/2026-05-02-mcp-plugin-skill-install-security-review-sop.md — the SOP this review followed
~/rdco-vault/04-tooling/2026-05-02-lazyweb-mcp-security-review-decision.md — adjacent worked example
~/rdco-vault/06-reference/2026-05-06-hyperframes-programmatic-video.md — the file-it-now reference doc with capability mapping
~/Projects/squarely-web/videos/package.json — current consumer of HyperFrames CLI (v0.5.2 post-bump)
~/.claude/projects/-Users-ray/memory/feedback_mcp_install_security_review_default.md — default-on review behavior
~/.claude/projects/-Users-ray/memory/feedback_listen_and_injection_caution.md — adjacent prompt-injection caution

Changelog

2026-05-06 19:50 ET — Install completed. 13 skills landed at ~/.claude/skills/. Squarely-web bumped to ^0.5.2. Decision note filed.